UNC1860 is an Iranian MOIS-affiliated threat group that specializes in deploying passive, difficult-to-detect backdoors on internet-facing servers. The group functions as an initial access provider for other Iranian threat actors, deploying HTTPSnoop and PipeSnoop implants that blend with legitimate web server traffic.
| Attribute | Detail |
|---|---|
| Names | UNC1860 / ShroudedSnooper |
| Attribution | Iran (MOIS) |
| Active Since | 2022 |
| Primary Focus | Passive backdoor specialist. Provides initial access to other Iranian APTs. |
Attribution
UNC1860, also tracked as ShroudedSnooper, is attributed to Iran's Ministry of Intelligence and Security (MOIS) and has been active since at least 2022. The group specializes in passive backdoors and provides initial access to other Iranian APTs.
Notable Campaigns
- HTTPSnoop passive backdoor deployment on web servers
- PipeSnoop named pipe-based backdoor operations
- Middle East telecom and government targeting
- Initial access provisioning for APT34/OilRig operations
- Exploitation of web-facing Exchange and IIS servers
MITRE ATT&CK Mapping
| Technique ID | Technique | Confidence |
|---|---|---|
| T1190 | Exploit Public-Facing Application | High |
| T1505 | Server Software Component | High |
| T1071 | Application Layer Protocol | High |
| T1059 | Command and Scripting Interpreter | High |
| T1036 | Masquerading | High |
Detection & Defense
Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for UNC1860 activity patterns.
Mjolnir Security — Threat Intelligence & Response
Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting UNC1860 TTPs in your environment.
mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875